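# NixOS module for the deertopia.net Nginx deployment: declares the site root,
# one virtual host per entry of `vhosts`, ACME defaults, and an activation
# script that creates and chowns the per-host directories.
{ config, lib, options, pkgs, ... }:

let
  cfg = config.sydnix.deertopia.nginx;

  # Only virtual hosts whose `enable` flag is set take part in the deployment,
  # both for the Nginx vhost declaration and for the directory initialisation.
  # (The flag was previously declared but never consulted.)
  enabledVhosts = lib.filterAttrs (_: vhost: vhost.enable) cfg.vhosts;

  # `toString` keeps a path literal from being copied into the Nix store when
  # it is interpolated into a string; a plain string value is returned as-is.
  rootDir = toString cfg.root;
in
{
  options.sydnix.deertopia.nginx = {
    enable = lib.mkEnableOption "Nginx";

    root = lib.mkOption {
      type = lib.types.path;
      description = "deertopia.net's root directory.";
      default = "/persist/deertopia.net";
    };

    group = lib.mkOption {
      type = lib.types.str;
      description = "The owning group of deertopia.net's root directory.";
      default = "nginx";
    };

    user = lib.mkOption {
      type = lib.types.str;
      description = "The owning user of deertopia.net's root directory.";
      default = "nginx";
    };

    vhosts = lib.mkOption {
      description = ''
        Virtual hosts served under deertopia.net, keyed by attribute name
        (which by default becomes the subdomain and the directory name).
      '';
      # An empty default lets `enable = true` evaluate before any host is added.
      default = { };
      # NOTE: `name` shouldn't contain spaces.
      type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: {
        options = {
          enable = lib.mkOption {
            description = "Enable ${name}.deertopia.net.";
            default = true;
            # `lib.types.boolean` does not exist; the boolean type is `bool`.
            type = lib.types.bool;
          };

          directory = lib.mkOption {
            description = "Host's root directory.";
            type = lib.types.str;
            default = "${rootDir}/${name}";
          };

          vhostName = lib.mkOption {
            description = "Fully qualified name of the virtual host.";
            type = lib.types.str;
            default = "${name}.deertopia.net";
          };

          vhost = lib.mkOption {
            description = ''
              Virtual host settings, passed directly to the NixOS's Nginx module.
            '';
            type = lib.types.anything;
          };
        };
      }));
    };
  };

  config = lib.mkIf cfg.enable {
    services.nginx.enable = true;

    networking.firewall.allowedTCPPorts = [
      80 # HTTP
      443 # HTTPS
    ];

    # With this section, virtual hosts declared through the Nginx NixOS module
    # will automatically request ACME SSL certificates and configure systemd
    # timers to renew the certificate if required. See the article on the NixOS
    # wiki, from which I've nabbed the following snippet:
    # https://nixos.wiki/wiki/Nginx#Let.27s_Encrypt_certificates
    security.acme = {
      acceptTerms = true;
      defaults.email = "lomiskiam@gmail.com";
    };

    # Each enabled vhost becomes one entry of `services.nginx.virtualHosts`,
    # keyed by its `vhostName`. `directory` always overrides any `root` given
    # inside `vhost`, since that is the directory the activation script
    # below creates. Duplicate `vhostName`s keep the first entry, as before.
    services.nginx.virtualHosts = lib.mapAttrs'
      (_: vhost:
        lib.nameValuePair vhost.vhostName (vhost.vhost // { root = vhost.directory; }))
      enabledVhosts;

    # services.nginx.virtualHosts."deertopia.net" = {
    #   root = "${cfg.www.root}/www";
    #
    #   addSSL = true;
    #   forceSSL = true;
    #   enableACME = true;
    #   locations."/" = {
    #     index = "index.html";
    #   };
    # };

    # Create the site root and every enabled vhost's directory at activation
    # time, owned by `user`:`group`. Note that `chmod -R 775` is recursive, so
    # it also marks files already present under these directories as
    # group-writable and executable, not only the directories themselves.
    # NOTE(review): with the default `user`/`group` of `nginx`, this appears to
    # give the Nginx service itself write access to the served content; confirm
    # that is intended, or point `user` at a separate deploy account.
    system.activationScripts.initialiseDeertopiaRoot.text =
      let
        directories = builtins.catAttrs "directory" (builtins.attrValues enabledVhosts);
        inherit (cfg) group user;
      in
      ''
        mkdir -p "${rootDir}"
        chown -R "${user}:${group}" "${rootDir}"
        chmod -R 775 "${rootDir}"

        # `escapeShellArgs` quotes each directory individually, so names that
        # contain shell metacharacters or single quotes are passed through intact.
        dirs=(${lib.escapeShellArgs directories})
        for i in "''${dirs[@]}"; do
          mkdir -p "$i"
          chown -R "${user}:${group}" "$i"
          chmod -R 775 "$i"
        done
      '';
  };
}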